[FYI] W32/Mix.2048 HTML/JavaScript-Virus: Das Ende der HTML-E-Mail?
- To: debate@fitug.de
- Subject: [FYI] W32/Mix.2048 HTML/JavaScript-Virus: Das Ende der HTML-E-Mail?
- From: "Axel H Horns" <horns@t-online.de>
- Date: Tue, 25 Jan 2000 20:36:46 +0200
- Comment: This message comes from the debate mailing list.
- Comments: Sender has elected to use 8-bit data in this message. If problems arise, refer to postmaster at sender's site.
- Organization: PA Axel H Horns
- Reply-to: horns@t-online.de
- Sender: owner-debate@fitug.de
The FBI offers an extremely informative service on its website that anyone
responsible for on-line systems should not miss:
http://www.fbi.gov/nipc/cybernotes.htm
------------------------------- CUT ------------------------------
CyberNotes is published every two weeks by the National
Infrastructure Protection Center (NIPC). Its mission is to support
security and information system professionals with timely information
on cyber vulnerabilities, hacker exploit scripts, hacker trends,
virus information, and other critical infrastructure-related best
practices.
[...]
------------------------------- CUT ------------------------------
The CyberNotes contain a nicely laid out compilation of all newly reported
security holes, sorted by product.
In the most recent issue, however, I found the following:
http://www.fbi.gov/nipc/cyberissue2000-01.pdf
------------------------------- CUT ------------------------------
NIPC CyberNotes #200001 Page 18 of 23 01/19/2000
[...]
W32/Mix.2048: (Aliases: VMS/Mix, W32/HTM.H[H04.2048, W32/Mix,
W32/Mix.dll.dr) This is a virus coded in JavaScript and Hypertext
Markup Language to infect web page files with the extensions .HTM, .HTML,
and .ASP. The virus also writes a debug script and implements the
program DEBUG.EXE to build a PE infector. The virus first searches
through all the directories on the hard drive in which web pages
might be found (HTM, ASP, HTT and HTML file extensions) and infects
them, increasing them in size by 23549 bytes. The exact directories
in which the virus searches are the following:
C:\My Documents
C:\Windows\Desktop
C:\Windows\Web
C:\Mis Documentos
C:\Windows\Help
C:\Windows\Escritorio
C:\Win2000\Web
C:\Win2000\Help
C:\Program Files\Internet Explorer\Connection Wizard
C:\Program Files\Microsoft Office\Office\Headers
C:\Inetpub\wwwroot
Once it has finished this first action, W32/HTM.H4[H04.2048 creates a
file in the root directory called [H4[h04.DLL, which contains the
machine code for the virus that accompanies it (dropper). In order to
compile the dropper machine code, three new BAT files are created:
Help.bat, in C:\Windows\Desktop\
SEXYNOW!.BAT, in C:\
README.BAT, in C:\
When a user executes any of these files, [H4[h04.DLL is compiled and
converted into a Windows virus. This is a direct action virus that
infects EXE, CPL and SCR files in the current folder and in system
directories such as C:\Windows and C:\Windows\System. The virus does
not infect files smaller than 10000 bytes in size and is encrypted
using an XOR operator with a Dword mask. It copies itself at the end
of targeted files and increases the last section of code by 2048
bytes. The damaging effect of this virus is the deletion of external
vaccine files and the virus signature files of several AntiVirus
manufacturers. The files that are deleted are the following:
Antivir.dat
Chklist.dat
Chklist.tav
Chklist.MS
Chklist.cps
Avp.crc
vb.ntz
Smartchk.cps
Avp.set
Scan.dat
Dec2.dll
Ap.vir
Ap.sig
Tbscan.sig
------------------------------- CUT ------------------------------
I may be somewhat behind the times, but for me this is the first
*concrete* demonstration of an HTML/JavaScript virus.
If I interpret this correctly, the days in which HTML e-mails (especially
on mailing lists) were still tolerated should now finally be coming to an
end.
Axel H Horns
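An added example, not part of the original post or of the NIPC advisory: a small host sweep that turns the indicators quoted above (the directories the virus walks, the web-file extensions it infects, and the three dropper .BAT files it writes) into a check a practitioner could run. The directory list is given relative to a drive root so the sweep can be pointed at any mount point or at a constructed test tree. The content heuristic (a web file that carries a `<script` tag and mentions DEBUG/DEBUG.EXE) is an assumption made for this example, derived from the advisory's statement that the virus writes a debug script; it is not a signature from any vendor, and it will miss an infected file that names DEBUG.EXE in an obfuscated way. The sample tree built by `build_sample_tree` is constructed test data.

```python
"""Host IOC sweep for the W32/Mix.2048 indicators quoted from NIPC CyberNotes #200001.

Added example; not code from the original post or from NIPC. Indicator names
(search directories, web extensions, dropper .BAT names) are taken from the
advisory text. The <script>+DEBUG content heuristic and the relative-root
layout are assumptions made for this example.
"""
import os
import re
import tempfile

# Directories the advisory says the virus searches, as path components
# relative to a drive root (assumption: the sweep is given that root).
SEARCH_DIRS = [
    ("My Documents",),
    ("Windows", "Desktop"),
    ("Windows", "Web"),
    ("Mis Documentos",),
    ("Windows", "Help"),
    ("Windows", "Escritorio"),
    ("Win2000", "Web"),
    ("Win2000", "Help"),
    ("Program Files", "Internet Explorer", "Connection Wizard"),
    ("Program Files", "Microsoft Office", "Office", "Headers"),
    ("Inetpub", "wwwroot"),
]

# Web-page extensions the advisory lists as infection targets.
WEB_EXTS = {".htm", ".html", ".asp", ".htt"}

# Dropper batch files the advisory says are written (location, file name).
DROPPER_PATHS = [
    (("Windows", "Desktop"), "Help.bat"),
    ((), "SEXYNOW!.BAT"),
    ((), "README.BAT"),
]

# Heuristic (assumption, not a vendor signature): an infected page carries
# script and references the DEBUG.EXE tool used to build the PE infector.
SCRIPT_RE = re.compile(rb"<script", re.IGNORECASE)
DEBUG_RE = re.compile(rb"\bdebug(?:\.exe)?\b", re.IGNORECASE)


def find_droppers(root):
    """Return paths of the advisory's dropper .BAT files present under root."""
    hits = []
    for parts, name in DROPPER_PATHS:
        directory = os.path.join(root, *parts)
        if not os.path.isdir(directory):
            continue
        for entry in os.listdir(directory):
            if entry.lower() == name.lower():  # Windows names are case-insensitive
                hits.append(os.path.join(directory, entry))
    return sorted(hits)


def find_suspicious_web_files(root):
    """Return web files in the searched directories that match the heuristic."""
    hits = []
    for parts in SEARCH_DIRS:
        directory = os.path.join(root, *parts)
        if not os.path.isdir(directory):
            continue
        for dirpath, _dirs, files in os.walk(directory):
            for name in files:
                if os.path.splitext(name)[1].lower() not in WEB_EXTS:
                    continue
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    data = fh.read()
                if SCRIPT_RE.search(data) and DEBUG_RE.search(data):
                    hits.append(path)
    return sorted(hits)


def sweep(root):
    """Run both checks and return the findings as a dict of sorted path lists."""
    return {"droppers": find_droppers(root),
            "web_files": find_suspicious_web_files(root)}


def build_sample_tree(root):
    """Constructed test data: two 'infected' pages, one clean page, one
    non-web file with the same content, and two of the three droppers."""
    infected = (b"<html><body><script>\n"
                b"// constructed stand-in: a page that writes a DEBUG.EXE script\n"
                b"</script></body></html>\n")
    clean = b"<html><body><script>document.title='hi';</script></body></html>\n"
    files = {
        ("Windows", "Web", "index.htm"): infected,
        ("Inetpub", "wwwroot", "default.asp"): infected,
        ("My Documents", "notes.html"): clean,
        ("Windows", "Help", "readme.txt"): infected,  # wrong extension, must be ignored
        ("README.BAT",): b"@echo off\r\nrem constructed dropper stand-in\r\n",
        ("Windows", "Desktop", "Help.bat"): b"@echo off\r\nrem constructed dropper stand-in\r\n",
    }
    for parts, content in files.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def demo():
    """Build the sample tree in a temp dir, sweep it, return root-relative hits."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        result = sweep(root)
        return {key: [os.path.relpath(p, root).replace(os.sep, "/") for p in paths]
                for key, paths in result.items()}


if __name__ == "__main__":
    for key, paths in demo().items():
        print(key, paths)
```

Against a real drive the sweep would be called as `sweep("C:\\")`; note that the advisory's figure of 23549 bytes growth per infected page cannot be checked without a known-good baseline of file sizes, which is why the example falls back to a content heuristic.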